07.01. Identifying IS Audit Findings

Briefly reflect on the following before we begin:

• What are the key elements that make an audit finding significant?
• What factors determine the severity level of an audit finding?
• How do Audit Findings’ Five Cs (condition, cause, criteria, consequences, and corrective action) contribute to effective audit reporting?

Audit findings are the results obtained from the audit process, revealing insights into the organization’s information systems, processes, and controls. They are pivotal in determining the health and integrity of an organization’s IS environment. As such, auditors must possess a keen eye for detail and a robust understanding of what constitutes a finding of significance. Thus, this section will discuss the intricate process of uncovering, experiencing, and documenting these findings to equip you with the knowledge and skills necessary to identify significant audit findings effectively and efficiently.

A key aspect of identifying audit findings is understanding their nature and role, involving comprehending the purpose of audit findings, which goes beyond merely pointing out flaws or non-compliance. They serve as a tool for organizational improvement, offering insights and directions for enhancing IS practices. Therefore, auditors must approach findings not as ends but as means to promote better IS governance and risk management. The Five Cs of IS audit findings (condition, cause, criteria, consequences, and corrective action) constitute a framework that aids auditors in crafting clear, concise, concrete, complete, and correct audit findings. It ensures the findings are well-documented, actionable, and understandable to stakeholders. Each of these ‘Cs’ plays a crucial role in shaping findings that drive value and improvement in the audited organization.

Classifying the severity of findings is another critical step in the audit process, as it helps prioritize issues and allocate resources effectively. It involves assessing the impact and likelihood of each finding and categorizing them as critical, high, medium, or low. This classification aids in efficiently managing risks and guides the formulation of recommendations. Documenting preliminary findings involves recording observations and insights gained during the audit in a structured and coherent manner. It is about capturing data and synthesizing information into meaningful insights. Proper documentation of preliminary findings lays the groundwork for developing the final audit report.

Lastly, we will reinforce throughout this section that identifying audit findings is an analytical and critical thinking exercise. It involves identifying what is wrong and understanding why and how it can be rectified. It requires a deep understanding of the organization’s information systems, a keen analytical mind, and a systematic approach to problem-solving. Auditors must consider the specific circumstances and nuances of each organization. A significant finding in one context might be less critical in another. Therefore, auditors must thoroughly understand the business, its environment, and its unique challenges. Also, professional judgment must be balanced in identifying audit findings. Auditors must discern which findings are genuinely significant and require attention. This judgment is honed through experience, knowledge, and an understanding of auditing standards and best practices.

The Nature and Role of Audit Findings

An audit finding is an outcome or result an auditor identifies during an audit. These findings should be based on evidence collected and analyzed against specific criteria, such as laws, regulations, or established internal controls and procedures. They are the building blocks of the audit report and play a critical role in the decision-making process within an organization. They provide an objective basis for assessing the effectiveness and efficiency of processes and controls within an organization’s IS environment. Findings help identify areas where the organization excels and, more importantly, areas that require improvement. They are instrumental in risk management and compliance, ensuring the organization adheres to relevant laws, regulations, and industry standards.

Audit findings can vary widely in nature and scope. They can range from simple procedural discrepancies to complex security vulnerabilities. Some common findings include non-compliance with policies, inefficiencies in processes, inadequate controls, and potential areas for cost savings. These findings shape the organization’s strategies and decisions regarding its IS landscape.

The primary role of audit findings is to provide insights into the functioning of an organization’s IS as they highlight issues that need attention, areas where controls might be lacking, and processes that are not as effective as they could be. This insight is invaluable for management to make informed decisions about resource allocation, process improvements, and policy adjustments. Another critical role of audit findings is facilitating accountability and transparency within the organization. They serve as a check and balance, ensuring the organization operates according to its objectives, standards, and regulatory requirements.

Audit findings are about identifying problems and proposing solutions and improvements as they allow the organization to strengthen its IS controls, optimize processes, and enhance overall performance. Effective auditors not only point out issues but also work with management to develop actionable recommendations for improvement. Findings also play a significant role in shaping the organization’s risk management strategies. Identifying areas of vulnerability and potential risks allows the organization to proactively address these issues before they escalate into significant problems. Clear, concise, and constructive communication is essential for auditors to present findings in a manner that is understandable and relevant to the stakeholders. This involves avoiding technical jargon, providing context, and highlighting the implications of the findings.

Lastly, an essential aspect of audit findings is their contribution to continuously improving an organization’s IS environment, as each finding provides an opportunity to learn and grow. Organizations that effectively leverage audit findings are better positioned to adapt to changes, improve efficiency, and comply with evolving standards and regulations.

The Importance of Accurate and Objective Audit Findings

As discussed throughout this textbook, an IS audit is an independent and systematic examination of an organization’s information systems, processes, and controls. Its primary purpose is to assure stakeholders that these systems operate effectively and securely and comply with relevant standards and regulations. Achieving this assurance relies on the IS auditor’s generation of audit findings that are both accurate and objective.

IS audit findings serve as both the outcome of our assurance practices and the means to represent identified risks, vulnerabilities, and potential impacts clearly and concisely. Moreover, they are also led in providing value-added recommendations to management to facilitate the achievement of organizational objectives. Thus, at the core of IS auditing is our ability to capture audit findings accurately and objectively.

By identifying areas of weakness or non-compliance, accurate and objective IS audit findings provide clear guidance on where corrective actions are needed. They facilitate informed decision-making based on reliable information, reducing the risk of ill-advised investments or neglect of critical issues. They also identify vulnerabilities and weaknesses that, if addressed, could lead to security breaches, data loss, or operational disruptions. Collectively, they instill confidence among internal, external, or regulatory stakeholders.

The Five Cs of Effective Audit Findings

Formulating IS Audit findings using the Five Cs framework (Condition, Cause, Criteria, Consequence, and Corrective Action) provides a structured approach to identifying and articulating audit findings. Let’s explore each of these Cs to understand better how they contribute to the effectiveness of IS audit findings.

Condition (What)

“Condition” refers to the specific issue or situation identified during the audit. It is the factual evidence observed by the auditor.

Detailing the condition involves describing what the auditor has found clearly and precisely. It’s about stating the facts as they are, without interpretation or judgment. This clarity is crucial for ensuring that the finding is grounded and verifiable.

Cause (Why)

“Cause” delves into the reason behind the condition and answers why the issue exists. Understanding the cause is essential for addressing the root of the problem rather than just its symptoms.

It requires a deep understanding of the organization’s processes and systems. It’s about connecting the dots between the condition and the underlying factors that led to it.

Criteria (What Should Be)

“Criteria” refers to the standard or benchmark against which the condition is evaluated. It could be company policies, industry standards, legal requirements, or best practices that set expectations for what should happen.

Criteria are essential for establishing the gap between the current state (condition) and the desired state.

Consequence (So What)

“Consequence” is about the impact or ramifications of the condition. It answers the question of the implications if the issue is not addressed. Consequences, including financial losses, reputational damage, regulatory penalties, or operational disruptions, can be wide-ranging. They help stakeholders understand the urgency and importance of addressing the findings. As well as in driving action and garnering support for changes.

Corrective Action (Now What)

“Corrective Action” involves proposing steps to rectify the condition. Corrective actions should be realistic, practical, and tailored to the organization’s context. Effective disciplinary actions consider the organization’s circumstances, resources, and capabilities. They also involve a timeline and a responsible party to implement the action effectively.

Classification of Findings (Severity Levels)

Classification of IA audit findings is pivotal in guiding organizations to prioritize and address issues effectively. Let’s explore the concept of severity levels in audit findings, the criteria used for classification, and its importance in the audit process. Severity levels in audit findings essentially categorize issues based on their impact and urgency. Generally, severity levels are classified into the following four categories :

The classification of audit findings into severity levels should be determined using a structured manner, including the following criteria:

• Impact: The potential damage or consequence of the finding on the organization. This includes financial loss, reputational damage, or operational disruption.
• Likelihood: The probability of the risk associated with the finding materializing. A high probability of occurrence often results in a higher severity level.
• Compliance: The degree to which the finding reflects non-compliance with laws, regulations, or internal policies. Severe non-compliance issues are often rated higher.
• Scope: The extent or breadth of the finding within the organization. Issues affecting multiple departments or systems may be rated more severe.

Classifying findings by severity ensures that resources are allocated appropriately to address the most critical issues for operational continuity and regulatory compliance. Moreover, severity classification helps communicate the urgency and importance of audit findings to stakeholders by providing a clear and structured way to present audit results, facilitating better decision-making and planning.

Classifying findings by severity has its challenges. One significant challenge is subjectivity. IS auditors may assess the severity of findings differently based on their experience and perspective. To mitigate this, progressive IS audit functions must develop standardized criteria and scales for severity classification. Another challenge is the dynamic nature of risks. The severity of a finding can change over time as the organization’s environment and external factors evolve. Continuous monitoring and reassessment are therefore necessary.

To address these challenges and ensure findings are classified effectively, IS auditors must strive to apply the same criteria and standards across all findings to ensure consistency in classification. They must also clearly document the rationale behind the severity classification for each finding. Involving relevant stakeholders in the classification process to comprehensively understand the impact and context also serves as a mitigating solid practice. Lastly, IS auditors must be open to re-evaluating the severity of findings as new information emerges or as the organizational context changes. By mastering this aspect of auditing, future IS auditors can significantly contribute to their organizations’ risk management and improvement efforts.

Documenting Preliminary Audit Findings

To tie in all relevant concepts discussed so far, this section delves into the importance, methodology, and best practices in documenting preliminary audit findings, providing a comprehensive guide for students and future auditors.

As discussed earlier, audit findings are the observations and insights auditors gather during the audit process. Documenting these findings is crucial since they provide the evidence base for the final audit report. They are the raw data that support the auditor’s conclusions and recommendations. Robust documentation also records what was observed, analyzed, and concluded at a particular time. This is valuable for future audits and understanding the historical context of issues. Well-documented findings also facilitate communication among audit team members and with stakeholders. A well-documented audit trail enhances the transparency of the auditing process and holds the auditors accountable for their observations and conclusions.

While each IS audit function may have preferences and guidance published in terms of “how” to document audit findings sufficiently and appropriately, some of the common elements that should be part of such guidance are presented below:

• Gathering Evidence: IS Auditors should collect data, screenshots, system logs, interviews, and other relevant information that substantiate the findings.
• Organizing Information: Gathered information should be arranged coherently and logically. This could involve categorizing findings by systems, processes, or risk areas.
• Descriptive Writing: IS Auditors should describe the findings clearly and concisely, avoiding technical jargon. The goal is to make the documentation understandable to a broad audience.
• Initial Analysis: An initial analysis of the findings must be provided, including identifying potential causes, impacts, and risks associated with the findings.
• Referencing Criteria: IS Auditors must link each finding to the relevant audit criteria, such as policies, procedures, laws, or standards. This contextualizes the findings within the scope of the audit.

Typically, documenting findings as soon as possible after they are observed ensures the accuracy and completeness of the information. IS Auditors should maintain an unbiased tone in their documentation to avoid making assumptions or drawing premature conclusions. They should use clear and precise language, leaving no room for ambiguity. IS Auditors are expected to handle sensitive information carefully, respecting confidentiality and data protection regulations. Lastly, IS auditors should use a standardized format for documentation. This might include templates or predefined structures that ensure consistency across the audit.